Reference: Anti-malware settings
Client Interface
Display additional text to clients when they need to perform an action
Set a custom message to display to users when they need to perform an action. The string must be less than 1024 characters.
Example: Contact our company help desk at 555-1212 for more help.
Display notifications to clients when they need to perform actions
Configure whether to display notifications to users when they need to perform an action.
Enable headless UI mode
Configure whether to display the Windows Defender UI to users.
Suppresses reboot notifications
Configure whether to show reboot notifications.
Exclusions
Extension Exclusions
Specify file extensions excluded from scanning.
IP address range Exclusions
Exclude IP addresses from network scanning.
Example: 157.1.45.123-60.1.1.1
Path Exclusions
Specify file paths excluded from scanning.
Example: C:\Program Files
Port number Exclusions
Exclude TCP ports from network scanning.
Example: 17472
Process Exclusions for outbound traffic
Exclude outbound traffic from a process from network scanning.
Example: C:\Windows\Program.exe
Threat ID Exclusions
Exclude specific threats from network scanning.
Example: 2925110632
Turn off Auto Exclusions (Defender Only)
Turn Automatic Exclusions on or off.
MAPS
Configure local setting override for reporting to MAPS
Allow the local preference for joining the Microsoft Active Protection Service to override group policy.
Join MAPS
Join the Microsoft Active Protection Service.
Send file samples when further analysis is required
Configure how samples are sent to the Microsoft Active Protection Service.
Network Inspection System
Define the rate of detection events for logging
Control the time interval in minutes for logging of detection events. Each event is logged at most once per time interval.
Example: 30
Default: 60
Specify additional definition sets for network traffic inspection
Specify additional definition sets to enable for network scanning. Each value should be a GUID of a definition set to enable.
Example: {b54b6ac9-a737-498e-9120-6616ad3bf590}
Turn on definition retirement
Control whether Windows Defender scans for known network vulnerabilities after they are patched.
Turn on protocol recognition
Control whether network protocol recognition is used to protect against attacks from known vulnerabilities.
Quarantine
Configure local setting override for the removal of items from Quarantine folder
Allow the local preference for the number of days to keep items in the quarantine folder to override group policy.
Real-time Protection
Configure local setting override for monitoring file and program activity on your computer
Allow the local preference for file and program activity to override group policy.
Configure local setting override for monitoring for incoming and outgoing file activity
Allow the local preference for monitoring of incoming and outgoing file activity to override group policy.
Configure local setting override for scanning all downloaded files and attachments
Allow the local preference for scanning downloaded files and attachments to override group policy.
Configure local setting override for turn on behavior monitoring
Allow the local preference for behavior monitoring to override group policy.
Configure local setting override for turn on script scanning (SCEP Only)
Enable or disable script scanning. Setting is enabled by default.
Configure local setting override to turn off Intrusion Prevention System
Allow the local preference for network scanning to override group policy.
Configure local setting override to turn on real-time protection
Allow the local preference for turning on real-time protection to override group policy.
Configure monitoring for incoming and outgoing file and program activity
Configure whether incoming or outgoing files are scanned. On servers with heavy network traffic, disabling scanning for a particular direction can help to achieve optimal network performance. This setting is only applicable to NTFS volumes.
Define the maximum size of downloaded files and attachments to be scanned
Configure the maximum size of downloaded files and attachments to scan. The value is the maximum file size in kilobytes.
Example: 524288
Monitor file and program activity on your computer
Configure monitoring of file and program activity.
Scan all downloaded files and attachments
Configure scanning of downloaded files and attachments.
Turn off real-time protection
Configure whether users are prompted when known malware is detected.
Turn on behavior monitoring
Turn behavior monitoring on or off.
Turn on Information Protection Control
Turn Information Protection Control on or off.
Turn on network protection against exploits of known vulnerabilities
Configure network protection from known vulnerabilities.
Turn on process scanning whenever real-time protection is enabled
Configure whether all processes are scanned when real-time protection is first turned on. This can detect malware that starts when real-time protection is off.
Turn on raw volume write notifications
Configure notifications of raw volume writes.
Turn on script scanning (SCEP Only)
Configure script scanning.
Remediation
Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Allow the local preference for the scheduled scan time to override group policy.
Specify the day of the week to run a scheduled full scan to complete remediation
Schedule the day of the week to perform a full scan.
Specify the time of day to run a scheduled full scan to complete remediation
Specify the time of day to perform a full scan. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.
Example: 180
Reporting
Configure time out for detections in critically failed state
Set the time in minutes for a "critically failed" detection to move to "additional action" or be "cleared."
Example: 7200
Configure time out for detections in non-critical failed state
Set the time in minutes to "clear" a "non-critically failed" detection.
Example: 7200
Configure time out for detections in recently remediated state
Sets the time in minutes to "clear" a "completed" detection.
Example: 7200
Configure time out for detections requiring additional action
Set the time in minutes to "clear" an "additional action."
Example: 7200
Configure Watson events (SCEP Only)
This policy setting allows you to configure whether or not Watson events are sent. This value has been deprecated as of the February 2015 anti-malware platform update (http://support.microsoft.com/kb/3036437).
Configure Windows software trace preprocessor components
Configure Windows software trace preprocessor.
Configure WPP tracing level
Configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). The allowed values are (1) Error (2) Warning (3) Info (4) Debug.
Example: 1
Scan
Allow users to pause scan
Allow users to pause a scan while it is in progress.
Check for the latest virus and spyware definitions before running a scheduled scan
Check for new virus and spyware definitions before running a scan. This does not apply to scans started manually from the user interface.
Configure local setting override for maximum percentage of CPU utilization
Allow the local preference for maximum CPU utilization to override group policy.
Configure local setting override for schedule scan day
Allow the local preference for the scheduled scan day to override group policy.
Configure local setting override for scheduled quick scan time
Allow the local preference for the scheduled quick scan time to override group policy.
Configure local setting override for scheduled scan time
Allow the local preference for the scheduled scan time to override group policy.
Configure local setting override for the scan type to use for a scheduled scan
Allow the local preference for the scan type to use during a scheduled scan to override group policy.
Create a system restore point
Configure whether a daily system restore point is created on an endpoint before it is cleaned.
Define the number of days after which a catch-up scan is forced (Defender Only)
Specify the number of consecutive scheduled scans that can be missed until a forced catch-up scan is run.
Example: 2
Default: 2
Run full scan on mapped network drives
Configure whether mapped network drives are scanned.
Scan archive files
Configure whether archive files are scanned. Archive files are .zip or CAB files.
Scan network files
Configure whether network files are scanned.
Scan packed executables
Configure whether packed executables are scanned.
Scan removable drives
Configure whether removable drives, such as USB flash drives, are scanned when running a full scan.
Specify the interval to run quick scans per day
Configure the quick scan interval in hours. The value 0 means that quick scans are never scheduled.
Example: 24
Default: 0
Specify the maximum depth to scan archive files
Set the maximum directory depth that archive files are unpacked during scanning. Archive files are .zip or CAB files.
Example: 1
Default: 0
Specify the maximum percentage of CPU utilization during a scan
Set the maximum percentage CPU utilization allowed during a scan. Valid percentage values can range from 5 to 50. The value 0 means that there is no limit.
Example: 5
Default: 50
Specify the maximum size of archive files to be scanned
Set the maximum size of archive files that are scanned. Archive files are .zip or CAB files. The value is the number of kilobytes. The value 0 means that there is no size limit.
Example: 1048576
Default: 0
Specify the scan type to use for a scheduled scan
Specify the scan type used during scheduled scans. By default, scheduled scans use quick scans.
Specify the time for a daily quick scan
Specify the time of day when a daily quick scan runs. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.
Example: 180
Default: 120
Start the scheduled scan only when computer is on but not in use
Set whether scans should only begin if the endpoint is idle.
Turn on catch-up full scan
Configure whether to start a full scan if two consecutive scheduled scans are missed. The full scan starts the next time someone logs in after the scheduled scans are missed.
Turn on catch-up quick scan
Configure whether to start a quick scan if two consecutive scheduled scans are missed. The quick scan starts the next time someone logs in after the scheduled scans are missed.
Turn on e-mail scanning
Configure whether email and email attachments are scanned.
Turn on heuristics
Heuristics improve the capabilities of Windows Defender to flag new threats.
Turn on removal of items from scan history folder
Configure the number of days that items are kept in the scan history folder before being permanently removed. The value 0 means that items are never removed from the history folder.
Example: 7
Default: 30
Turn on reparse point scanning
Configure whether reparse points are scanned. Reparse points are followed to a maximum depth, so a recursive reparse point might slow down scanning, but it does not cause an error.
Signature Updates
Allow definition updates from Microsoft Update
Enable definition updates to be downloaded from Microsoft Update even if Automatic Updates are configured to use a different download source.
Allow definition updates when running on battery power
Configure whether definitions are updated when an endpoint is running on battery power.
Allow notifications to disable definitions based reports to Microsoft MAPS
Enable receiving notifications from MAPS to disable definitions that are causing false positives. MAPS must be configured on an endpoint to successfully use this functionality.
Allow real-time definition updates based on reports to Microsoft MAPS
Enable real-time definition updates if MAPS finds that the latest definition update has definitions for a threat involving an unknown file. MAPS must be configured on an endpoint to successfully use this functionality.
Check for the latest virus and spyware definitions on startup
Specify whether definition updates should be checked at service startup.
Define file shares for downloading definition updates
Set UNC file shares for downloading definition updates. The file shares are tried in the order specified.
Example: \\corp\updates
Define the number of days after which a catch-up definition update is required
Specify the number of days that can pass before a forced catch-up definition update.
Example: 7
Default: 1
Define the number of days before spyware definitions are considered out of date
Set the number of days that can pass before spyware definitions are considered out of date.
Example: 7
Default: 14
Define the number of days before virus definitions are considered out of date
Set the number of days that can pass before virus definitions are considered out of date.
Example: 7
Default: 14
Define the order of sources for downloading definition updates
Specify the order for definition update sources to be contacted.
Initiate definition update on startup
Configure whether definitions are updated on startup when there is no antimalware engine.
Specify the day of the week to check for definition updates
Specify the day of the week to check for definition updates. By default, updates are checked every day.
Specify the interval to check for definition updates
Specify the definition update check interval in hours.
Example: 12
Specify the time to check for definition updates
Specify the time of day to check for definition updates. The value is the number of minutes past midnight in the local time for the endpoint to check for definition updates. By default, definition updates are checked 15 minutes before the scheduled scan time.
Example: 120
Turn on scan after signature update
Configure whether a scan should start after a definition update.
System Center Endpoint Protect
Turn on Potentially Unwanted Application (PUA) detection (SCEP Only)
Block PUAs from being downloaded through Internet Explorer, Firefox, and Chrome.
Turn on threat file hash logging (SCEP Only)
Record any detected threat files in the event log for additional research and correlation with other threat streams.
Turn on virus definitions (SCEP Only)
Manage virus definitions used during a scan.
Threats
Specify threat alert levels at which default action should not be taken when detected
Customize the remediation action to take for each threat alert level.
Specify threats upon which default action should not be taken when detected
Customize the remediation action to take for each detected Threat ID.
Windows Defender
Allow antimalware service to remain running always
Choose whether the Windows Defender service keeps running when virus and spyware definitions are disabled.
Allow antimalware service to startup with normal priority
Modify the startup priority of the Windows Defender service. This might impact performance.
Configure local administrator merge behavior for lists
Control whether local preferences for exclusions and threats are merged with group policy.
Define addresses to bypass proxy server
Bypass the proxy for a specific IP address. The value must be a valid URL.
Define proxy server for connecting to the network
Configure a proxy to use for downloading definition updates or reporting events to MAPS. By default, the following settings are used in order: (1) Internet Explorer proxy settings (2) Auto-detect (3) None.
Randomize scheduled task times
Randomize the start time of scheduled tasks.
Turn off routine remediation
Control whether Windows Defender automatically remediates threats.
Turn off Windows Defender
Turn Windows Defender on or off.
Last updated: 8/29/2019 10:55 AM | Feedback